There are a spate of articles and blogs on the Regulation at the moment; how do you know which ones are worth reading?
Well, in my view, if the text does not include reference to the impact of the Recitals that are associated with any Article mentioned in the text, then the blog or article is likely to be incomplete.
The reason for this is that the role of the Recitals has been enhanced by the consistency mechanism of the Regulation; understanding this change is essential to your understanding of how the Regulation will be interpreted by the Data Protection Authorities.
Normally, Recitals are used by the Court of Justice of the European Union (CJEU) in order to establish what any Directive or Regulation means in the context of a particular case before the Court. Thus, for example, in the Google Spain or Ryneš, the Court explored the Recitals in order to justify its judgments (see references).
Note that for a case to be heard before the CJEU, someone (usually a data subject) has to undertake the long march through the legal institutions. For instance, Max Schrems, in order to get his day before the CJEU (re Facebook and Safe Harbor), had first to be rebuffed by the Irish Commissioner and the Irish Courts. This process requires enormous and persistent effort.
However, the General Data Protection Regulation is rather special; it is not only the CJEU that will use these Recitals; it will be the European Data Protection Board (EDPB) when it exercises its role of ensuring the Regulation is consistently applied across Europe.
An example will help explain the consequences of this change.
Suppose the UK’s Information Commissioner (ICO) interprets the definition of “personal data” in a similar way as in the current Data Protection Act (e.g. identifiability of the data subject has to be by the data controller) whereas the rest of Europe includes the impact of Recital 23 in the Regulation (i.e. identifiability of the data subject has to take account of all the means reasonably likely to be used …”either by the controller or by any other person to identify the individual directly or indirectly”).
Clearly the inclusion of “by any other person” means that the range of personal data subject to the Regulation would be narrower in the UK to the likely detriment to the position of UK data subjects.
Suppose further that the consistency mechanism is then applied, and the issue eventually reaches the EDPB for a decision. As an EDPB decision on interpretation is binding as far as the UK is concerned, the EDPB will use the Recitals to come to its conclusions (and as the Recital refer to identification “by any other person”, the ICO’s interpretation will be overturned).
Of course, there can be an appeal to the CJEU that the EDPB’s interpretation is wrong. However, in practice, the ICO will want to avoid being hauled through the coals to the EDPB and the way to do this is to incorporate the “by any other person” interpretation in his guidance on “personal data”.
A “long march through the institutions” by a data subject is therefore not needed; any long march, if required, is to the EDPB.
There is another reason why the Recitals are important as they contain important detail missing in the Article. For example, “when should you report a data loss?”.
Article 31 provides criteria when to report a data loss, but Recital 67 provides detailed examples of when actual data losses should be reported:
when a loss could “result in physical, material or moral damage to individuals such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage to the individual concerned”.
There is a final structural issue which is very important to note. When I was asked to contribute to the European Parliament’s discussions on the Regulation, I can remember a question from the floor of the Parliament on the lines of: Who should have the day to day responsibility for interpretation of data protection law in for example Codes of Conduct?
I replied by saying that such Codes could not carry much authority if they were produced by bodies representing data controllers or data subjects as they had vested interests to protect. I also added that Government was an enormous data controller (with the obvious conclusion following).
This left the Data Protection Authorities as the only organisations that would achieve an independent balance between the interests of data subjects and data controllers, subject to recourse to Courts in any case where a Code was inconsistent with the law.
This structure is not new; it was the formulation derived by the Lindop Committee back in 1978, when it too placed the responsibility on the Data Protection Authority to produce/approve Codes. So I am pleased to report on Data Protection Day, Lindop’s prescient recommendations have finally been implemented in the Regulation’s approach to Codes of Conduct.
In conclusion, however, don’t look at any Article without considering the related Recital; it is the Recital that is likely to carry some very important detail you need to consider.
If you want more, am holding half day DP Regulation Workshop in London on March 2nd
We also have a BCS DP Practitioner Qualification (starting in London on April 12 and in Edinburgh on April 25). BCS DP Foundation Certificate (starting in London on March 15-17). The day long PIA and Audit Courses are held on Feb 29 and March in London. Details of all our DP/FOI/CISMP courses in Leeds, London and Edinburgh are accessible by clicking the relevant buttons on the Amberhawk home page: www.amberhawk.com.
“C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González” can be downloaded from http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=req&
Domestic CCTV and Directive 95/46/EC (European Court of Justice (ECJ) Judgment in Case C-212/13 Ryneš): http://amberhawk.typepad.com/amberhawk/2014/12/what-does-the-ecj-ryne%C5%A1-ruling-mean-for-the-domestic-purpose-exemption.html
Report on Data Protection: Chair Sir Norman Lindop (Cmnd 7341, December 1978)